Skip to content

Reducing your digital risks: Basics to remember

Reducing your digital risks: Basics to remember

Freelance journalists juggle a lot. Trying to protect confidential information and sources can seem like a complex task. In our recent Digital Security Surgery for Freelancers we looked at how to make it manageable.

In May Rory Peck Trust kicked off our google hangout series of “Digital Security Surgeries” with Daniel Ó Clunaigh, an associate trainer with Tactical Tech, who told us ways of identifying potential digital risks and developing strategies for them. You can visit the Hangout’s page, check out the Twitter conversation at #RPThangout, or watch the results here.



Here are the main points from the hangout:


Think about the information you have, or plan to collect. How sensitive is it?
What is the information, and what makes it sensitive? It could be the findings and facts of your story, or the names and details of the sources you’re working with. What would be the impact of its eventual publication or leaking? Consider the substance of your material and its potential impact.

(Example: The identity of my contacts is extremely sensative and they face serious personal safety risks if identified.)

What are the technological trends and applicable laws?
Look at how you’ll be storing, carrying and electronically sending confidential files and communications. What are the laws in those areas? Is the internet heavily censored or monitored? Will the technology you plan to use work, and is it legal? Here you’ll want to research applicable laws and read recent reports on internet censorship and freedom of expression there. Talk to colleagues and ask other experienced freelancers who've worked there.

(Example: Belarus has started trying to block access to a number of internet privacy systems in the country, including Tor).

Who are the actors?
You’re one. Your sources are others. These include the commissioning publication or platform you're working for, and who you interact with there as well. It also includes any adversaries (those who wouldn’t want you to produce the story) and advocates (anyone supporting your work). Don’t forget the service providers you use (mobile, internet, etc.). Write down who they are and where they fit in. What access would each possibly have to the information you want to protect, and how would they have it?

(Example: The officials my whistle blower contact wishes to expose may be able to submit a court order for records from my mobile phone service provider.)

What’s happened before?
What are the indicators or precedents that have made you decide that this is sensitive content that needs extra protection? Here, you’re answering why you think there’s a threat. Look up records of arrests, a history of invasive surveillance or hacking by one or more of the actors you’ve identified as “adversaries” and how those situations turned out.

(Example: Journalists in Ethiopia have been increasingly targeted with malware attacks, according to University of Toronto's Citizen Lab.) 

Now then, what are the threats?
You can now start working out what threats you face and how likely it is that you’ll deal with them. Consider your adversaries and what kinds of access they may have, general trends and digital threats you've learned about in the region, and recent cases involving other journalists.

(Example: Border guards may want me to show them what’s on my computer. Risk: likely.)

Finally, what measures will you take?
This is your plan. You’ve identified the threats and you’re ready to look at reducing the risks of them happening or limiting their impact if they do happen. You may decide that you need to learn how to use a specific piece of technology, like how to encrypt a file or use an internet proxy service. You may want to look at setting up an agreement with your contacts on how to communicate using specific email addresses or anonymous chat, or just use code to set up a meeting in person. You may decide that you need to back-up some files on a devices other than your personal computer. 

(Example: My contact will go through another person to send me an encrypted email when it's time to meet. We will both not bring our mobile devices to the location to avoid a data trail that will link the two of us to being in the same place.)

Remember: Don’t be intimidated, and Keep it simple.
Digital security often seems more intimidating than it needs to be. As Dan said, “Humans are natural security analysts. We carry out risk assessment all the time.” You cannot create or manage a situation in which you’re always anonymous online or one in which all your communications are .100% secured, and attempting to do so would be exhausting. So first, give yourself a break. Now, it’s still entirely realistic and achievable to create windows of greater security in which you can send a file or have a conversation (or at least organise one), or store some vital information you don’t want accessible to others… before your story comes out.

(Examples: To see how this exercise could look in practice, try Dan Ó Clunaigh’s own template, in the form of this spreadsheet. You may want to include some of these elements in a communication plan.)
 

Use Rory Peck Trust’s Online Resources

 

Tell us what you think!

 

Source material and notes cited by Dan Ó Clunaigh


You can download it here.
 

Andrew Ford Lyons is the digital producer for Rory Peck Trust. You can contact him via encrypted email using this PGP key.

We use cookies to give you the best experience of using this website. To accept our cookies, click here or read our Cookie Policy for more information.